openobserve-helm-chart

How to obtain the Authorization Header for K8S deployment

Open enlight3d opened this issue 9 months ago • 4 comments

Hello,

We're trying to do a complete automated CI/CD pipeline for deployment on our servers. Is there a way to obtain the Authorization header from the openobserve release once the chart is installed to pass it to the openobserve collector chart? Right now, we have to first wait for openobserve to be up and then log into it and get the header from the UI.

enlight3d avatar Feb 14 '25 17:02 enlight3d

So it is:

Recommended

Authorization: Basic base64("email:token")

Not possible to get the token as of now.

or

Not recommended

Authorization: Basic base64("email:password")

It's possible since you are setting the password.

prabhatsharma avatar Feb 14 '25 18:02 prabhatsharma

I tried Authorization: Basic base64("email:password") but it didn't work

enlight3d avatar Feb 14 '25 21:02 enlight3d

Then you are doing something wrong. Follow this - https://openobserve.ai/docs/quickstart/#load-sample-data

prabhatsharma avatar Feb 15 '25 05:02 prabhatsharma

We are using the Terraform Helm provider as a wrapper for the Helm release of OpenObserve in our shared platform environment, which enables us to create random secrets and store them in Vault, that we can dynamically access from any other environment where we want to deploy the collector. The workflow is basically like this:

  1. deploying cnpg operator and cluster with a Terraform module and writing the database credentials to a Kubernetes secret
  2. Terraform module openobserve creates root user and auth header secrets and puts them into Vault
  3. same module is creating the Kubernetes secret for OpenObserve to consume the secrets from:

```hcl
resource "kubernetes_secret" "openobserve" {
  metadata {
    name      = "openobserve-secrets"
    namespace = kubernetes_namespace.openobserve.metadata[0].name
  }
  data = {
    ZO_ROOT_USER_EMAIL           = var.o2_app_root_username
    ZO_ROOT_USER_PASSWORD        = random_password.openobserve_root_password.result
    ZO_META_POSTGRES_DSN         = "postgres://openobserve:${data.kubernetes_secret.cnpg.data["password"]}@openobserve-postgres-rw:5432/openobserve"
    ZO_META_POSTGRES_RO_DSN      = "postgres://openobserve:${data.kubernetes_secret.cnpg.data["password"]}@openobserve-postgres-ro:5432/openobserve"
    OPENFGA_DATASTORE_URI        = "postgres://openobserve:${data.kubernetes_secret.cnpg.data["password"]}@openobserve-postgres-rw:5432/openobserve"
    # Basic credentials must be base64("user:password") (RFC 7617), not the raw pair
    ZO_META_TRACING_HEADER_VALUE = "Basic ${base64encode("${var.o2_app_root_username}:${random_password.openobserve_auth_header.result}")}"
    AZURE_STORAGE_ACCOUNT_KEY    = var.o2_app_storage_account_key
    AZURE_STORAGE_ACCOUNT_NAME   = var.o2_app_storage_account_name
  }
}
```

  4. deploying openobserve-collector with an extra module where we look up the auth secret from Vault and use it in the deployment (after local base64 encoding):

```hcl
data "vault_kv_secret_v2" "openobserve_auth_secret" {
  mount = "platform"
  name  = "openobserve/o2_auth_header"
}

locals {
  endpoint    = var.environment == "shared" ? "http://openobserve-router.openobserve.svc.cluster.local:5080/api/shared" : "https://openobserve.platform.domain.com/api/${var.environment}${var.cluster_number}"
  auth_header = base64encode("${data.vault_kv_secret_v2.openobserve_auth_secret.data["username"]}:${data.vault_kv_secret_v2.openobserve_auth_secret.data["password"]}")
}
```

....helm_release....

```yaml
exporters:
  otlphttp/openobserve:
    endpoint: ${local.endpoint}
    headers:
      Authorization: "Basic ${local.auth_header}"
  otlphttp/openobserve_k8s_events:
    endpoint: ${local.endpoint}
    headers:
      Authorization: "Basic ${local.auth_header}"
```

kayahk avatar Jul 31 '25 14:07 kayahk
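
The `Authorization: Basic base64("email:password")` form discussed in this thread, as an added shell example for a CI step (not part of any comment above and not OpenObserve project code): it builds the header value and rejects the two malformed shapes that most often break Basic auth, raw unencoded credentials and a newline encoded into the password. The function names `basic_auth_header` and `check_basic_header` and the sample credentials are assumptions made for illustration.

```shell
# Constructed example: build and sanity-check a Basic Authorization value in CI.

# basic_auth_header USER PASSWORD -> prints "Basic <base64(USER:PASSWORD)>"
basic_auth_header() {
  # RFC 7617: the user-id cannot contain ':'; the password can.
  case $1 in *:*) echo "user-id must not contain ':'" >&2; return 1 ;; esac
  # printf, not echo: echo would append a newline that ends up inside the
  # encoded password. tr removes the line wrapping some base64 tools add.
  printf 'Basic %s' "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# check_basic_header VALUE -> exit status 0 only if VALUE is well formed
check_basic_header() {
  case $1 in
    'Basic '*) _b64=${1#Basic } ;;
    *) echo "missing 'Basic ' scheme" >&2; return 1 ;;
  esac
  # Raw "email:password" after the scheme fails here: it is not base64.
  case $_b64 in
    ''|*[!A-Za-z0-9+/=]*) echo "credentials are not base64" >&2; return 1 ;;
  esac
  printf '%s' "$_b64" | base64 -d >/dev/null 2>&1 || {
    echo "base64 does not decode" >&2; return 1; }
  # Append a sentinel so $(...) does not silently strip a trailing newline.
  _dec=$(printf '%s' "$_b64" | base64 -d; printf x); _dec=${_dec%x}
  case $_dec in
    *'
'*) echo "decoded credentials contain a newline" >&2; return 1 ;;
    ?*:*) return 0 ;;
    *) echo "decoded value is not user:password" >&2; return 1 ;;
  esac
}

# Usage with constructed sample credentials (not real ones). The header is a
# reversible encoding of the password, so only the check result is printed.
hdr=$(basic_auth_header 'ci@example.com' 'S4mple:pass') || exit 1
check_basic_header "$hdr" && echo "header OK"
```
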